Bug 1952651 - containers do not run in Fedora 34 IoT
Summary: containers do not run in Fedora 34 IoT
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: container-selinux
Version: 34
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: IoT
Reported: 2021-04-22 18:09 UTC by Dennis Gilmore
Modified: 2021-07-16 03:44 UTC (History)
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-11 13:02:38 UTC
Type: Bug
Embargoed:



Description Dennis Gilmore 2021-04-22 18:09:52 UTC
Description of problem:

Running a podman command to run homeassistant on Fedora 34 IoT, networking does not work.


Version-Release number of selected component (if applicable):

libselinux-3.2-1.fc34.aarch64
libselinux-utils-3.2-1.fc34.aarch64
rpm-plugin-selinux-4.16.1.3-1.fc34.aarch64
selinux-policy-34-1.fc34.noarch
selinux-policy-targeted-34-1.fc34.noarch
container-selinux-2.158.0-1.gite78ac4f.fc34.noarch
python3-libselinux-3.2-1.fc34.aarch64
podman-plugins-3.1.0-1.fc34.aarch64
podman-3.1.0-1.fc34.aarch64

How reproducible:


Steps to Reproduce:
On a Fedora 34 IoT system run
1. podman run --init -d   --name homeassistant   --restart=unless-stopped   -v /etc/localtime:/etc/localtime:ro   -v /home/homeassistant:/config   --network=host   homeassistant/home-assistant:stable

Actual results:
The container does not work; after switching from enforcing to permissive mode I see

type=AVC msg=audit(1619112380.373:899666): avc:  denied  { write } for  pid=552924 comm="udevadm" name="uevent" dev="sysfs" ino=10484 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112384.163:899668): avc:  denied  { write } for  pid=552939 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=250884 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112384.163:899669): avc:  denied  { add_name } for  pid=552939 comm="python3" name="deps" scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112384.163:899670): avc:  denied  { create } for  pid=552939 comm="python3" name="deps" scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112384.563:899672): avc:  denied  { create } for  pid=552939 comm="python3" name="configuration.yaml" scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112384.563:899673): avc:  denied  { write open } for  pid=552939 comm="python3" path="/config/configuration.yaml" dev="mmcblk0p3" ino=259891 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112384.563:899674): avc:  denied  { ioctl } for  pid=552939 comm="python3" path="/config/configuration.yaml" dev="mmcblk0p3" ino=259891 ioctlcmd=0x5413 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112384.583:899675): avc:  denied  { read } for  pid=552939 comm="python3" name=".HA_VERSION" dev="mmcblk0p3" ino=259894 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112396.543:899676): avc:  denied  { write } for  pid=553352 comm="udevadm" name="uevent" dev="sysfs" ino=10484 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112400.723:899678): avc:  denied  { write } for  pid=553368 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=250884 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112400.723:899680): avc:  denied  { read } for  pid=553368 comm="python3" name=".HA_VERSION" dev="mmcblk0p3" ino=259894 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112400.723:899681): avc:  denied  { open } for  pid=553368 comm="python3" path="/config/.HA_VERSION" dev="mmcblk0p3" ino=259894 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112400.723:899682): avc:  denied  { ioctl } for  pid=553368 comm="python3" path="/config/.HA_VERSION" dev="mmcblk0p3" ino=259894 ioctlcmd=0x5413 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.263:899683): avc:  denied  { add_name } for  pid=553368 comm="python3" name="home-assistant_v2.db" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112402.263:899684): avc:  denied  { create } for  pid=553368 comm="python3" name="home-assistant_v2.db" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.263:899685): avc:  denied  { write } for  pid=553368 comm="python3" path="/config/home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.283:899686): avc:  denied  { lock } for  pid=553368 comm="python3" path="/config/home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.283:899687): avc:  denied  { setattr } for  pid=553368 comm="python3" name="home-assistant_v2.db-journal" dev="mmcblk0p3" ino=259901 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.293:899688): avc:  denied  { remove_name } for  pid=553368 comm="python3" name="home-assistant_v2.db-journal" dev="mmcblk0p3" ino=259901 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112402.293:899689): avc:  denied  { unlink } for  pid=553368 comm="python3" name="home-assistant_v2.db-journal" dev="mmcblk0p3" ino=259901 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.303:899690): avc:  denied  { map } for  pid=553368 comm="python3" path="/config/home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259902 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112404.593:899691): avc:  denied  { create } for  pid=553368 comm="python3" name=".cloud" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.353:899693): avc:  denied  { write } for  pid=553368 comm="python3" name="blueprints" dev="mmcblk0p3" ino=259908 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.353:899694): avc:  denied  { add_name } for  pid=553368 comm="python3" name="automation" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.363:899695): avc:  denied  { relabelfrom } for  pid=553368 comm="python3" name="motion_light.yaml" dev="mmcblk0p3" ino=259912 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112408.373:899696): avc:  denied  { setattr } for  pid=553368 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=259911 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.373:899697): avc:  denied  { relabelfrom } for  pid=553368 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=259911 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.423:899698): avc:  denied  { remove_name } for  pid=553368 comm="python3" name="tmpfah9tsms" dev="mmcblk0p3" ino=259916 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.423:899699): avc:  denied  { rename } for  pid=553368 comm="python3" name="tmpfah9tsms" dev="mmcblk0p3" ino=259916 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.009:899720): avc:  denied  { read write } for  pid=553368 comm="python3" name="home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.009:899721): avc:  denied  { open } for  pid=553368 comm="python3" path="/config/home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.009:899722): avc:  denied  { lock } for  pid=553368 comm="python3" path="/config/home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.019:899723): avc:  denied  { create } for  pid=553368 comm="python3" name="home-assistant_v2.db-wal" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.019:899724): avc:  denied  { setattr } for  pid=553368 comm="python3" name="home-assistant_v2.db-wal" dev="mmcblk0p3" ino=259921 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.019:899725): avc:  denied  { map } for  pid=553368 comm="python3" path="/config/home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259934 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.049:899726): avc:  denied  { unlink } for  pid=553368 comm="python3" name="home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259934 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113430.629:899727): avc:  denied  { write } for  pid=553368 comm="python3" name=".storage" dev="mmcblk0p3" ino=259915 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619113430.629:899728): avc:  denied  { add_name } for  pid=553368 comm="python3" name="tmpxb6igo5e" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619113430.629:899729): avc:  denied  { ioctl } for  pid=553368 comm="python3" path="/config/.storage/tmpxb6igo5e" dev="mmcblk0p3" ino=259921 ioctlcmd=0x5413 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113430.629:899730): avc:  denied  { remove_name } for  pid=553368 comm="python3" name="tmpxb6igo5e" dev="mmcblk0p3" ino=259921 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619113430.639:899731): avc:  denied  { rename } for  pid=553368 comm="python3" name="tmpxb6igo5e" dev="mmcblk0p3" ino=259921 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113641.008:899734): avc:  denied  { write } for  pid=553368 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=250884 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619113641.008:899735): avc:  denied  { add_name } for  pid=553368 comm="python3" name="home-assistant_v2.db-wal" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619113641.028:899736): avc:  denied  { remove_name } for  pid=553368 comm="python3" name="home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259934 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
in the audit log.

Expected results:

The container to run.
Additional info:

Comment 1 Daniel Walsh 2021-04-23 10:12:31 UTC
You are attempting to leak an entire home directory into a container and SELinux is rightly blocking the access.  If you need to do this, you need to disable SELinux container separation or play around with udica.

I would run the following command.

 podman run --init -d  --security-opt label=disable --name homeassistant   --restart=unless-stopped   --tz=local   -v /home/homeassistant:/config   --network=host   homeassistant/home-assistant:stable

BTW, notice the --tz flag.

Comment 2 Dennis Gilmore 2021-04-24 18:10:47 UTC
As the directory was just a directory containing config files, I moved it to /var/lib/homeassistant.

Running "podman run --init -d   --name homeassistant   --restart=unless-stopped   -v /etc/localtime:/etc/localtime:ro   -v /var/lib/homeassistant:/config   --network=host   homeassistant/home-assistant:stable" I get:

type=AVC msg=audit(1619287263.705:547): avc:  denied  { write } for  pid=1780 comm="udevadm" name="uevent" dev="sysfs" ino=10484 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619287267.855:549): avc:  denied  { write } for  pid=1796 comm="python3" name="home-assistant.log" dev="mmcblk0p3" ino=259917 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287267.855:551): avc:  denied  { read } for  pid=1796 comm="python3" name=".HA_VERSION" dev="mmcblk0p3" ino=259894 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287267.855:552): avc:  denied  { ioctl } for  pid=1796 comm="python3" path="/config/.HA_VERSION" dev="mmcblk0p3" ino=259894 ioctlcmd=0x5413 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287268.915:553): avc:  denied  { lock } for  pid=1796 comm="python3" path="/config/home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287268.915:554): avc:  denied  { write } for  pid=1796 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=250884 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=dir permissive=1
type=AVC msg=audit(1619287268.915:555): avc:  denied  { add_name } for  pid=1796 comm="python3" name="home-assistant_v2.db-wal" scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=dir permissive=1
type=AVC msg=audit(1619287268.915:556): avc:  denied  { create } for  pid=1796 comm="python3" name="home-assistant_v2.db-wal" scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287268.915:557): avc:  denied  { setattr } for  pid=1796 comm="python3" name="home-assistant_v2.db-wal" dev="mmcblk0p3" ino=250890 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287268.925:558): avc:  denied  { remove_name } for  pid=1796 comm="python3" name="home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259652 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=dir permissive=1
type=AVC msg=audit(1619287268.925:559): avc:  denied  { unlink } for  pid=1796 comm="python3" name="home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259652 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287273.645:561): avc:  denied  { rename } for  pid=1796 comm="python3" name="tmpqq7mj4zg" dev="mmcblk0p3" ino=250890 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1


If instead I run "podman run --init -d   --name homeassistant   --restart=unless-stopped   -v /etc/localtime:/etc/localtime:ro   -v /var/lib/homeassistant:/config:Z   --network=host   homeassistant/home-assistant:stable" I still get one denial:

type=AVC msg=audit(1619287145.126:537): avc:  denied  { write } for  pid=1262 comm="udevadm" name="uevent" dev="sysfs" ino=10484 scontext=system_u:system_r:container_t:s0:c286,c789 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1

Should udevadm be able to run inside of a container?
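
The three denial patterns in this thread (a host home directory that was never relabelled for containers, a volume that carries container_file_t but another container's MCS categories, and udevadm writing to a sysfs uevent) can be told apart mechanically from the AVC fields. The following triage script is an added example and not part of the bug report; its sample lines are constructed to mirror the report, and the category names are this example's own.

```python
import re
from typing import Dict, Optional

# Constructed sample AVC lines patterned on the report (not copied from it).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1.1:1): avc:  denied  { write } for  pid=10 comm="python3" '
    'name="homeassistant" dev="mmcblk0p3" ino=1 scontext=system_u:system_r:container_t:s0:c568,c815 '
    'tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(2.2:2): avc:  denied  { write } for  pid=11 comm="python3" '
    'name="home-assistant.log" dev="mmcblk0p3" ino=2 scontext=system_u:system_r:container_t:s0:c263,c985 '
    'tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1',
    'type=AVC msg=audit(3.3:3): avc:  denied  { write } for  pid=12 comm="udevadm" '
    'name="uevent" dev="sysfs" ino=3 scontext=system_u:system_r:container_t:s0:c286,c789 '
    'tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_context(ctx: str) -> Dict[str, object]:
    """Split user:role:type:sensitivity[:categories] into type and MCS category set."""
    parts = ctx.split(":")
    cats = set(parts[4].split(",")) if len(parts) > 4 else set()
    return {"type": parts[2], "cats": cats}

def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the key=value fields of one AVC denial, or None for other audit records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields: Dict[str, object] = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    fields["scontext"] = parse_context(str(fields["scontext"]))
    fields["tcontext"] = parse_context(str(fields["tcontext"]))
    return fields

def triage(avc: Dict[str, object]) -> str:
    """Classify a container_t denial into the cases discussed in this bug."""
    src, tgt = avc["scontext"], avc["tcontext"]
    if src["type"] != "container_t":
        return "not_a_container_denial"
    if tgt["type"] == "sysfs_t" and avc.get("name") == "uevent":
        # Blocked by policy on purpose: a container may not drive host udev.
        return "blocked_by_design"
    if tgt["type"] == "container_file_t":
        # Right type, but labelled with a different container's categories
        # (left over from an earlier :Z run); re-run with :Z or share with :z.
        return "mcs_category_mismatch" if src["cats"] != tgt["cats"] else "allowed_label"
    if str(tgt["type"]).startswith("user_home"):
        # Host home directory bind-mounted without relabelling (:Z) or moving it.
        return "home_dir_not_relabelled"
    return "other"

if __name__ == "__main__":
    for line in SAMPLE_AVCS:
        print(triage(parse_avc(line)))
```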

Comment 3 Daniel Walsh 2021-04-26 22:52:47 UTC
Currently we block this via SELinux, writing to sysfs `uevent`.  I do not believe this is going to work the way you expect, i.e. devices will not appear on the host's /dev.

You can disable SELinux separation to see if it works.  If it does, I could consider adding this allow rule.

Comment 4 Dennis Gilmore 2021-07-16 03:44:47 UTC
Clearing needinfo.
